forked from bokysan/docker-postfix
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathrun.sh
239 lines (203 loc) · 8.87 KB
/
run.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
#!/bin/sh
. /commons.sh
echo -e "******************************"
echo -e "**** POSTFIX STARTING UP *****"
echo -e "******************************"
# Check if we need to configure the container timezone
if [ ! -z "$TZ" ]; then
TZ_FILE="/usr/share/zoneinfo/$TZ"
if [ -f "$TZ_FILE" ]; then
echo -e "‣ $notice Setting container timezone to: ${emphasis}$TZ${reset}"
ln -snf "$TZ_FILE" /etc/localtime
echo "$TZ" > /etc/timezone
else
echo -e "‣ $warn Cannot set timezone to: ${emphasis}$TZ${reset} -- this timezone does not exist."
fi
else
echo -e "‣ $info Not setting any timezone for the container"
fi
# Make and reown postfix folders
mkdir -p /var/spool/postfix/ && mkdir -p /var/spool/postfix/pid
chown root: /var/spool/postfix/
chown root: /var/spool/postfix/pid
# Disable SMTPUTF8, because libraries (ICU) are missing in alpine
postconf -e smtputf8_enable=no
# Update aliases database. It's not used, but postfix complains if the .db file is missing
postalias /etc/postfix/aliases
# Disable local mail delivery
postconf -e mydestination=
# Don't relay for any domains
postconf -e relay_domains=
# Increase the allowed header size, the default (102400) is quite smallish
postconf -e "header_size_limit=4096000"
if [ ! -z "$MESSAGE_SIZE_LIMIT" ]; then
echo -e "‣ $notice Restricting message_size_limit to: ${emphasis}$MESSAGE_SIZE_LIMIT bytes${reset}"
postconf -e "message_size_limit=$MESSAGE_SIZE_LIMIT"
else
# As this is a server-based service, allow any message size -- we hope the
# sender knows what he is doing.
echo -e "‣ $info Using ${emphasis}unlimited${reset} message size."
postconf -e "message_size_limit=0"
fi
# Reject invalid HELOs
postconf -e smtpd_delay_reject=yes
postconf -e smtpd_helo_required=yes
postconf -e "smtpd_helo_restrictions=permit_mynetworks,reject_invalid_helo_hostname,permit"
postconf -e "smtpd_sender_restrictions=permit_mynetworks"
# Set up host name
if [ ! -z "$HOSTNAME" ]; then
echo -e "‣ $notice Setting myhostname: ${emphasis}$HOSTNAME${reset}"
postconf -e myhostname="$HOSTNAME"
else
postconf -# myhostname
fi
if [ -z "$RELAYHOST_TLS_LEVEL" ]; then
echo -e "‣ $info Setting smtp_tls_security_level: ${emphasis}may${reset}"
postconf -e "smtp_tls_security_level=may"
else
echo -e "‣ $notice Setting smtp_tls_security_level: ${emphasis}$RELAYHOST_TLS_LEVEL${reset}"
postconf -e "smtp_tls_security_level=$RELAYHOST_TLS_LEVEL"
fi
# Set up a relay host, if needed
if [ ! -z "$RELAYHOST" ]; then
echo -en "‣ $notice Forwarding all emails to ${emphasis}$RELAYHOST${reset}"
postconf -e "relayhost=$RELAYHOST"
# Alternately, this could be a folder, like this:
# smtp_tls_CApath
postconf -e "smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt"
if [ -n "$RELAYHOST_USERNAME" ] && [ -n "$RELAYHOST_PASSWORD" ]; then
echo -e " using username ${emphasis}$RELAYHOST_USERNAME${reset} and password ${emphasis}(redacted)${reset}."
echo "$RELAYHOST $RELAYHOST_USERNAME:$RELAYHOST_PASSWORD" >> /etc/postfix/sasl_passwd
postmap hash:/etc/postfix/sasl_passwd
postconf -e "smtp_sasl_auth_enable=yes"
postconf -e "smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd"
postconf -e "smtp_sasl_security_options=noanonymous"
postconf -e "smtp_sasl_tls_security_options=noanonymous"
else
echo -e " without any authentication. ${emphasis}Make sure your server is configured to accept emails coming from this IP.${reset}"
fi
else
echo -e "‣ $notice Will try to deliver emails directly to the final server. ${emphasis}Make sure your DNS is setup properly!${reset}"
postconf -# relayhost
postconf -# smtp_sasl_auth_enable
postconf -# smtp_sasl_password_maps
postconf -# smtp_sasl_security_options
fi
if [ ! -z "$MYNETWORKS" ]; then
echo -e "‣ $notice Using custom allowed networks: ${emphasis}$MYNETWORKS${reset}"
else
echo -e "‣ $info Using default private network list for trusted networks."
MYNETWORKS="127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
fi
postconf -e "mynetworks=$MYNETWORKS"
if [ ! -z "$INBOUND_DEBUGGING" ]; then
echo -e "‣ $notice Enabling additional debbuging for: ${emphasis}$MYNETWORKS${reset}"
postconf -e "debug_peer_list=$MYNETWORKS"
sed -i -E 's/^[ \t]*#?[ \t]*LogWhy[ \t]*.+$/LogWhy yes/' /etc/opendkim/opendkim.conf
if ! egrep -q '^LogWhy' /etc/opendkim/opendkim.conf; then
echo >> /etc/opendkim/opendkim.conf
echo "LogWhy yes" >> /etc/opendkim/opendkim.conf
fi
else
sed -i -E 's/^[ \t]*#?[ \t]*LogWhy[ \t]*.+$/LogWhy no/' /etc/opendkim/opendkim.conf
if ! egrep -q '^LogWhy' /etc/opendkim/opendkim.conf; then
echo >> /etc/opendkim/opendkim.conf
echo "LogWhy no" >> /etc/opendkim/opendkim.conf
fi
fi
if [ ! -z "$ALLOWED_SENDER_DOMAINS" ]; then
echo -en "‣ $info Setting up allowed SENDER domains:"
allowed_senders=/etc/postfix/allowed_senders
rm -f $allowed_senders $allowed_senders.db > /dev/null
touch $allowed_senders
for i in $ALLOWED_SENDER_DOMAINS; do
echo -ne " ${emphasis}$i${reset}"
echo -e "$i\tOK" >> $allowed_senders
done
echo
postmap $allowed_senders
postconf -e "smtpd_restriction_classes=allowed_domains_only"
postconf -e "allowed_domains_only=permit_mynetworks, reject_non_fqdn_sender reject"
postconf -e "smtpd_recipient_restrictions=reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_sender_access hash:$allowed_senders, reject"
# Since we are behind closed doors, let's just permit all relays.
postconf -e "smtpd_relay_restrictions=permit"
elif [ -z "$ALLOW_EMPTY_SENDER_DOMAINS" ]; then
echo -e "ERROR: You need to specify ALLOWED_SENDER_DOMAINS otherwise Postfix will not run!"
exit 1
fi
if [ ! -z "$MASQUERADED_DOMAINS" ]; then
echo -e "‣ $notice Setting up address masquerading: ${emphasis}$MASQUERADED_DOMAINS${reset}"
postconf -e "masquerade_domains = $MASQUERADED_DOMAINS"
postconf -e "local_header_rewrite_clients = static:all"
fi
if [ ! -z "$SMTP_HEADER_CHECKS" ]; then
if [ "$SMTP_HEADER_CHECKS" == "1" ]; then
echo -e "‣ $info Using default file for SMTP header checks"
SMTP_HEADER_CHECKS="regexp:/etc/postfix/smtp_header_checks"
fi
FORMAT=$(echo "$SMTP_HEADER_CHECKS" | cut -d: -f1)
FILE=$(echo "$SMTP_HEADER_CHECKS" | cut -d: -f2-)
if [ "$FORMAT" == "$FILE" ]; then
echo -e "‣ $warn No Postfix format defined for file ${emphasis}SMTP_HEADER_CHECKS${reset}. Using default ${emphasis}regexp${reset}. To avoid this message, set format explicitly, e.g. ${emphasis}SMTP_HEADER_CHECKS=regexp:$SMTP_HEADER_CHECKS${reset}."
FORMAT="regexp"
fi
if [ -f "$FILE" ]; then
echo -e "‣ $notice Setting up ${emphasis}smtp_header_checks${reset} to ${emphasis}$FORMAT:$FILE${reset}"
postconf -e "smtp_header_checks=$FORMAT:$FILE"
else
echo -e "‣ $error File ${emphasis}$FILE${reset} cannot be found. Please make sure your SMTP_HEADER_CHECKS variable points to the right file. Startup aborted."
exit 2
fi
fi
DKIM_ENABLED=
if [ -d /etc/opendkim/keys ] && [ ! -z "$(find /etc/opendkim/keys -type f ! -name .)" ]; then
DKIM_ENABLED=", ${emphasis}opendkim${reset}"
echo -e "‣ $notice Configuring OpenDKIM."
mkdir -p /var/run/opendkim
chown -R opendkim:opendkim /var/run/opendkim
dkim_socket=$(cat /etc/opendkim/opendkim.conf | egrep ^Socket | awk '{ print $2 }')
if [ $(echo "$dkim_socket" | cut -d: -f1) == "inet" ]; then
dkim_socket=$(echo "$dkim_socket" | cut -d: -f2)
dkim_socket="inet:$(echo "$dkim_socket" | cut -d@ -f2):$(echo "$dkim_socket" | cut -d@ -f1)"
fi
echo -e " ...using socket $dkim_socket"
postconf -e "milter_protocol=6"
postconf -e "milter_default_action=accept"
postconf -e "smtpd_milters=$dkim_socket"
postconf -e "non_smtpd_milters=$dkim_socket"
echo > /etc/opendkim/TrustedHosts
echo > /etc/opendkim/KeyTable
echo > /etc/opendkim/SigningTable
# Since it's an internal service anyways, it's safe
# to assume that *all* hosts are trusted.
echo "0.0.0.0/0" > /etc/opendkim/TrustedHosts
if [ ! -z "$ALLOWED_SENDER_DOMAINS" ]; then
for i in $ALLOWED_SENDER_DOMAINS; do
private_key=/etc/opendkim/keys/$i.private
if [ -f $private_key ]; then
echo -e " ...for domain ${emphasis}$i${reset}"
echo "mail._domainkey.$i $i:mail:$private_key" >> /etc/opendkim/KeyTable
echo "*@$i mail._domainkey.$i" >> /etc/opendkim/SigningTable
else
echo " ...$warn skipping for domain ${emphasis}$i${reset}. File $private_key not found!"
fi
done
fi
else
echo -e "‣ $info No DKIM keys found, will not use DKIM."
postconf -# smtpd_milters
postconf -# non_smtpd_milters
fi
# Use 587 (submission)
sed -i -r -e 's/^#submission/submission/' /etc/postfix/master.cf
if [ -d /docker-init.db/ ]; then
echo -e "‣ $notice Executing any found custom scripts..."
for f in /docker-init.db/*; do
case "$f" in
*.sh) chmod +x "$f"; echo -e "\trunning ${emphasis}$f${reset}"; . "$f" ;;
*) echo "$0: ignoring $f" ;;
esac
done
fi
echo -e "‣ $notice Starting: ${emphasis}rsyslog${reset}, ${emphasis}postfix${reset}$DKIM_ENABLED"
exec supervisord -c /etc/supervisord.conf